Cybersecurity Researcher · Developer · Builder

I break, verify, patch, and build.

I am Ali Firas, a source-code-focused cybersecurity researcher and builder with a strong interest in real-world vulnerability discovery, precise proof-of-concept development, technical reporting, and secure product engineering. My work connects offensive analysis, defensive thinking, and clean execution into one workflow.

Threat Radar

Signals across code, logic, trust boundaries, and impact surfaces.

research_session.log
>Focus: source code auditing, PoC validation, disclosure workflow
>Method: reproduce → isolate root cause → measure impact → propose fix
>Style: precise, evidence-driven, patch-aware, publication-ready
>Current mode: research / reporting / builder mindset

About Me

I treat security research as a disciplined engineering process: understand the system, model the trust boundaries, reproduce the flaw cleanly, then communicate the result in a way maintainers can act on fast.

My work lives at the intersection of vulnerability research, secure software design, proof-driven reporting, and technical product building. I enjoy digging into source code, reasoning about exploitability, and turning findings into clear technical narratives that include root cause, realistic threat models, impact framing, and remediation paths.

Source Code Review · PoC Development · Threat Modeling · Patch Validation · Coordinated Disclosure · Developer Workflow

Research Identity

I care about findings that are technically honest and practically useful. That means no inflated claims, no weak assumptions, and no vague impact language. I prefer reproducible evidence, exact code paths, realistic attacker models, and fixes that fit maintainers' codebases.

Precision

Root-cause-first analysis with technical clarity and clean reproduction paths.

Execution

Move from idea to report, patch, PR, or advisory without losing depth.

Core Expertise

Security research is strongest when technical depth and communication quality move together. These are the areas that define how I work.

Vulnerability Research

I analyze application and library behavior for logic flaws, input validation failures, unsafe assumptions, race conditions, file handling issues, and client-side or server-side impact paths.

Proof-of-Concept Engineering

I convert suspected issues into clean demonstrations that prove the bug, isolate the attack path, and support accurate severity discussions without overclaiming.

Technical Reporting

I build reports around root cause, conditions, exploitation logic, attack surface, affected versions, remediation direction, and publication-ready language.

Impact Workflow

The strongest findings usually come from following a repeatable path instead of chasing hype. This is the sequence I lean on the most.

Step 01

Map the Trust Boundary

Find where untrusted input crosses into sensitive logic, file operations, rendering, authorization, or state transitions.

Step 02

Reproduce Cleanly

Build a minimal but realistic path that demonstrates the flaw with stable evidence and without unnecessary noise.

Step 03

Frame the Real Risk

Describe what the flaw allows, what constraints matter, and which attack scenarios remain realistic in practice.

CVE Portfolio

A curated list of public identifiers associated with my disclosed work, including linked source references and related tracker IDs.

CVE-2025-63095

DoS via improper input validation in hello-video-codec.

Public
EUVD-2025-199991 CNNVD-202512-067 PT-2025-48451

CVE-2025-59717

Type confusion / filter bypass issue in @digitalocean/do-markdownit.

Public
EUVD-2025-30235 CNNVD-202509-3044 PT-2025-38507

CVE-2025-59716

Unauthenticated user enumeration in ownCloud Guests registration flow.

Public
EUVD-2025-37881 CNNVD-202511-387 PT-2025-45141

CVE-2025-67125

Signed integer overflow issue in docopt.cpp with downstream distro tracking.

Public
EUVD-2026-4308 UBUNTU-CVE-2025-67125 DEBIAN-CVE-2025-67125 PT-2026-4472 CNNVD-202601-4006

CVE-2025-67124

TOCTOU + symlink race in miniserve upload finalization path.

Public
EUVD-2026-4261 PT-2026-4471 CNNVD-202601-4008

CVE-2025-13437

zx cleanup path issue leading to unintended external node_modules deletion.

Public
EUVD-2025-198297 CNNVD-202511-2323 PT-2025-47601

CVE-2026-25500

Stored XSS in Rack::Directory via javascript:-prefixed filenames.

Public
DEBIAN-CVE-2026-25500 UBUNTU-CVE-2026-25500 USN-8066-1 PT-2026-20325 CNNVD-202602-2768

Connect

Research, collaboration, responsible disclosure, technical networking, and portfolio access.